CI: Added notarisation to macOS builds

Author: drowaudio

azure-pipelines.yml

@@ -1,5 +1,5 @@
 variables:
-  - group: VST2_SDK
+  - group: pluginval  
 
 jobs:
 - job: linux
@@ -29,16 +29,30 @@ jobs:
     inputs:
       artifactName: 'Change List'
       targetPath: 'bin/linux'
+
 - job: macOS
   pool:
-    vmImage: 'macOS-10.13'
+    vmImage: 'macOS-10.14'
   steps:
+  - task: InstallAppleCertificate@2
+    inputs:
+      certSecureFile: 'Application.p12'
+      certPwd: '$(CERT_PASSWORD)'
+      keychain: 'temp'
+  - task: InstallAppleCertificate@2
+    inputs:
+      certSecureFile: 'Installer.p12'
+      certPwd: '$(CERT_PASSWORD)'
+      keychain: 'temp'
   - script: tests/mac_tests
     displayName: 'macOS Build'
+  - script: install/notarise ../bin/mac/pluginval_macOS.zip com.tracktion.pluginval $(AC_USERNAME) $(AC_PASSWORD)
+    displayName: 'notarise'
   - task: PublishPipelineArtifact@0
     inputs:
       artifactName: 'macOS'
       targetPath: 'bin/mac'
+
 - job: windows
   pool:
     vmImage: 'vs2017-win2016'

install/mac_build

@@ -43,6 +43,8 @@ if [ -n "$VST2_SDK_URL" ]; then
     curl -O $VST2_SDK_URL
 	unzip vstsdk2.4.zip
     if [ -d "vstsdk2.4" ]; then VST2_SDK_DIR="$ROOT"/tmp/vstsdk2.4; fi
+else
+	echo "Not building with VST2 support. To enable VST2 support, set the VST2_SDK_URL environment variable"
 fi
 
 #============================================================
@@ -69,6 +71,19 @@ rm -rf $ROOT/Builds/MacOSX/build/$PROJECT_NAME.build
 xcodebuild -configuration Release clean
 xcodebuild -configuration Release GCC_TREAT_WARNINGS_AS_ERRORS=YES
 
+#============================================================
+#   Sign with hardened runtime
+#============================================================
+if [ -n "$SIGN_ID" ]; then
+	codesign --entitlements "$ROOT"/Builds/MacOSX/pluginval.entitlements --force -s "$SIGN_ID" -v "$APP_FILE" --deep --strict --options=runtime
+
+	echo "\nVerifying ..."
+	spctl -vvv --assess --type exec "$APP_FILE"
+	codesign -dvv "$APP_FILE"
+	codesign -vvv --deep --strict "$APP_FILE"
+else
+	echo "Not notarising. To enable, set the SIGN_ID environment variable"
+fi
 
 #============================================================
 #   Copy to deployment directory

install/notarise

@@ -0,0 +1,162 @@
+#!/bin/sh -e
+
+#============================================================
+#   Before running this script, sign any apps with
+#   hardended runtime:
+#------------------------------------------------------------
+#	codesign --force -s "$signID" -v "$appFile" --deep --strict --options=runtime
+#
+#	echo "\nVerifying ..."
+#	spctl -vvv --assess --type exec "$appFile"
+#	codesign -dvv "$appFile"
+#	codesign -vvv --deep --strict "$appFile"
+#------------------------------------------------------------
+
+
+#============================================================
+# Notarise either a pkg installer or zip archive
+#------------------------------------------------------------
+#  Environment variables to set:
+#    arg 1		Set to the app path
+#    arg 2		Set to the bundle ID
+#    arg 3		Set to the app specific Apple username
+#    arg 4		Set to the app specific Apple password
+#------------------------------------------------------------
+
+ROOT=$(cd "$(dirname "$0")"; pwd)
+cd $ROOT
+
+APP_PATH="$1"
+BUNDLE_ID="$2"
+AC_USERNAME="$3"
+AC_PASSWORD="$4"
+
+if [ -z "$APP_PATH" ]; then
+	echo "ERROR: First arg needs to be the path to the app or pkg to notarise" && exit 1
+fi
+
+if [ -z "$BUNDLE_ID" ]; then
+	echo "ERROR: Second arg needs to be a bundle ID to use e.g. com.company.product" && exit 1
+fi
+
+if [ -z "$AC_USERNAME" ]; then
+	echo "ERROR: Third arg needs to be set the the app specific Apple username" && exit 1
+fi
+
+if [ -z "$AC_PASSWORD" ]; then
+	echo "ERROR: Fourth arg needs to be set the the app specific Apple password" && exit 1
+fi
+
+
+#============================================================
+# Setup variables
+#============================================================
+PATH_TO_NOTARISE="$APP_PATH"
+EXTENSION="${PATH_TO_NOTARISE##*.}"
+echo "$EXTENSION"
+
+TMP="$ROOT/tmp"
+rm -rf "$TMP"
+mkdir "$TMP"
+
+function onExit {
+  rm -rf "$TMP"
+}
+trap onExit EXIT
+
+# Create zip to notarise
+if [ "$EXTENSION" = "app" ]; then
+	ZIP_PATH="$TMP/upload.zip"
+	PATH_TO_NOTARISE="$ZIP_PATH"
+
+	#============================================================
+	# First check if notarization will succeed
+	#============================================================
+	echo "============================================================"
+	echo "Validating file:"
+	spctl -vvv --assess --type exec "$APP_PATH"
+	codesign -dvv "$APP_PATH"
+	codesign -vvv --deep --strict "$APP_PATH"
+
+	# Create a ZIP archive suitable for altool
+	rm -rf "$ZIP_PATH"
+	/usr/bin/ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
+fi
+
+if [ ! -f "$PATH_TO_NOTARISE" ] && [ ! -d "$PATH_TO_NOTARISE" ]; then
+	echo "ERROR: No file to notarise at: $PATH_TO_NOTARISE" && exit 1
+fi
+
+
+#============================================================
+# Upload to notarization service
+#============================================================
+echo "============================================================"
+echo "Uploading to notarization service:"
+
+OUTPUT=$(xcrun altool --notarize-app --primary-bundle-id "$BUNDLE_ID" --username "$AC_USERNAME" --password "$AC_PASSWORD" --file "$PATH_TO_NOTARISE" --output-format xml)
+OUTPUT_FILE="$TMP/result.plist"
+rm -f "$OUTPUT_FILE"
+echo "$OUTPUT" > "$OUTPUT_FILE"
+REQUEST_UID=$(/usr/libexec/PlistBuddy -c "Print notarization-upload:RequestUUID" "$OUTPUT_FILE")
+rm -f "$OUTPUT_FILE"
+echo "$REQUEST_UID"
+
+
+#============================================================
+# Check status
+#============================================================
+echo "============================================================"
+echo "Checking notarization status:"
+
+tries=0
+for (( ; ; )); do
+	echo "`pwd`"
+	echo "xcrun altool --notarization-info "$REQUEST_UID" --username "$AC_USERNAME" --password "$AC_PASSWORD" --output-format xml"
+
+	if [ "$tries" -gt 24 ]; then
+		exit 1
+	fi
+
+	set +e
+	STATUS_PLIST=$(xcrun altool --notarization-info "$REQUEST_UID" --username "$AC_USERNAME" --password "$AC_PASSWORD" --output-format xml)
+	if [ $? -ne 0 ]; then
+		sleep 5
+		tries=$((tries+1))
+		continue
+	fi
+	set -e
+
+	STATUS_FILE="$TMP/status.plist"
+	echo "$STATUS_FILE"
+	rm -f "$STATUS_FILE"
+	echo "$STATUS_PLIST" > "$STATUS_FILE"
+	STATUS=$(/usr/libexec/PlistBuddy -c "Print notarization-info:Status" "$STATUS_FILE")
+    echo "  STATUS: $STATUS"
+
+	case "$STATUS" in
+        "success")
+			echo "  COMPLETED:" $(/usr/libexec/PlistBuddy -c "Print notarization-info:LogFileURL" "$STATUS_FILE")
+			break
+            ;;
+        "in progress")
+            sleep 5
+            ;;
+        *)
+			echo "  ERROR:" $(/usr/libexec/PlistBuddy -c "Print notarization-info:'Status Message'" "$STATUS_FILE")
+			echo "  LOG_URL:" $(/usr/libexec/PlistBuddy -c "Print notarization-info:LogFileURL" "$STATUS_FILE")
+			exit 1
+			;;
+	esac
+done
+
+
+#============================================================
+# Staple to binary
+#============================================================
+if [ "$EXTENSION" != "zip" ]; then
+	echo "============================================================"
+	echo "Stapling certificate:"
+	xcrun stapler staple "$APP_PATH"
+	xcrun stapler staple -v "$APP_PATH"
+fi

pluginval.jucer

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
-<JUCERPROJECT name="pluginval" projectType="guiapp" jucerVersion="5.4.3" id="IA2Ov0"
+<JUCERPROJECT name="pluginval" projectType="guiapp" jucerVersion="5.4.5" id="IA2Ov0"
               version="0.2.3" companyName="Tracktion" headerPath="../../modules/juce/modules/juce_audio_processors/format_types/VST3_SDK">
   <MAINGROUP id="zUhKLj" name="pluginval">
     <FILE id="gV5MZv" name="CHANGELIST.md" compile="0" resource="0" file="CHANGELIST.md"/>
@@ -44,12 +44,13 @@
   </LIVE_SETTINGS>
   <EXPORTFORMATS>
     <XCODE_MAC targetFolder="Builds/MacOSX" extraCompilerFlags="-Wall -Wextra -Wconversion -Wconstant-conversion -Wint-conversion -Woverloaded-virtual -Wconditional-uninitialized -Wunused-parameter -Wshorten-64-to-32 -Wstrict-aliasing -Wshadow -Wreorder -Wunused-private-field -Wbool-conversion -Wno-missing-field-initializers -Wno-ignored-qualifiers -Wunreachable-code"
-               smallIcon="k3tDOE" bigIcon="k3tDOE" vst3Folder="modules/vst3">
+               smallIcon="k3tDOE" bigIcon="k3tDOE" vst3Folder="modules/vst3"
+               hardenedRuntime="1" hardenedRuntimeOptions="com.apple.security.cs.allow-unsigned-executable-memory,com.apple.security.cs.disable-library-validation">
       <CONFIGURATIONS>
         <CONFIGURATION isDebug="1" name="Debug" customXcodeFlags="CLANG_WARN_SUSPICIOUS_IMPLICIT_CONVERSION=YES, GCC_WARN_PEDANTIC=YES"
                        targetName="pluginval"/>
         <CONFIGURATION isDebug="0" name="Release" customXcodeFlags="CLANG_WARN_SUSPICIOUS_IMPLICIT_CONVERSION=YES, GCC_WARN_PEDANTIC=YES"
-                       targetName="pluginval"/>
+                       targetName="pluginval" linkTimeOptimisation="0"/>
       </CONFIGURATIONS>
       <MODULEPATHS>
         <MODULEPATH id="juce_core" path="modules/juce/modules"/>